About me

David Kennedy "ReL1K" - Partner, Practice Lead at SecureState

- Areas of expertise: Penetration Testing, Python, Web App Security, Wireless, Physical, Exploits
- Years of experience: 9 years

Prior Life

- Marine Corps Intelligence (oxymoron?) - couple of tours in Iraq
- Developed wireless intercept systems
- Instructor for the intelligence agency on wireless and forensics
Fast-Track history

Breaking into a client, I realized that either the tools I needed didn't exist, or they really just sucked.

Started off by automating the methodologies we already used during a penetration test, making life easier, and adding new ways of breaking into a network that had never been done before.

Worked with the BackTrack guys, who thought it was a cool concept and began incorporating it into the BackTrack suite.




SecureState - Fast-Track: Where it's OK to finish in under 3 minutes.



What IS Fast-Track

- Suite of custom coded tools that automate some pretty wicked attacks.
- It's designed for penetration testers to help automate some attacks they may not have been able to do before.
- Main purpose: exploit various weaknesses to gain root on the system.
- Some new ways of payload delivery never done before (we'll talk about that).
- Helps security teams identify weaknesses within their network.
Scenarios

- Scenario 1 - SQL Injection on steroids
- Scenario 2 - MSSQL Bruting with a twist of lime
- Scenario 3 - Query string pwnage
- Scenario 4 - Exploit rewrite
- Scenario 5 - Destroying the client
- Scenario 6 - Autopwnage
Scenario 1

- You're a pentester attacking CompanyX.
- 1 host responds: web server, port 80.
- What do you do?
Let's pop a box.
Demo on SQLPwnage

- Scan for web servers
- Auto crawl the web site
- Fuzz all POST parameters (query string parameters coming soon)
- Blind + error based
- Attempt to elevate to SQL "sa" rights on MSSQL
- Re-enable xp_cmdshell if disabled and disable data execution prevention
- Drop our payload on the affected system using the hex to binary conversion bypass (will explain)
- Full system ownage.
Diagram (slide image not reproduced)
Explanation of what just happened...

- SQL Injection against a MSSQL back-end: a series of commands were performed to elevate permissions, re-enable xp_cmdshell, and start to echo files onto the underlying operating system.
- There is a payload delivery method using Windows debug: it takes specially formatted hexadecimal files and uses Windows debug to convert our hex back into a binary. The slight problem with this technique is that it has a limit of 64kb. If our payload is larger than that, we have an issue (examples: Meterpreter, VNC, etc.).
- Most attacks using this method drop a stager (like netcat, for example), and netcat will initiate an outbound connection to download an additional payload (often called a stager). Instead, we created a small 5kb executable that takes in raw hex and spits out binary.
- So we deliver our 5kb file as the "stager" using the Windows debug method, then use our custom application to convert raw hex to binary, completely bypassing the 64kb restriction.






Explanation continued

So now that we have successfully bypassed the 64kb restriction on Windows debug, we can drop whatever payload we want.

The payload is then converted to binary, executed on the server, and originates its connection from the SQL server back to our machine.
Scenario 2

- You're a pentester for CompanyX.
- Internal penetration test.
- Organization primarily uses MSSQL.
- What do you do?
Let's pop a box.
Explanation of SQL Bruter

- Looks for SQL servers.
- Brute forces the SQL "sa" account, an account typically installed by default if using SQL/Integrated auth.
- Elevates rights, re-enables xp_cmdshell, disables DEP, drops our hex to binary stager, then drops our payload on the system.
- From here we have full access.
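As an added defender's example (not part of these slides or of Fast-Track itself), the following Python script looks through SQL Server login-audit and statement-trace lines for the chain described on the SQLPwnage explanation slides and on the SQL Bruter slide above: a burst of failed "sa" logins, xp_cmdshell being re-enabled, a file echoed to disk through xp_cmdshell, and debug invoked to rebuild a binary. The log lines and their layout are constructed for the example; adapt the regular expressions to the audit format you actually collect.

```python
import re
from collections import Counter

# Constructed sample of SQL Server login-audit and statement-trace lines
# (not real data), following the chain the slides describe: sa bruting,
# xp_cmdshell re-enabled, a file echoed to disk, debug rebuilding a binary.
SAMPLE_LOG = """\
2009-03-01 10:00:01 login failed for user 'sa' from 10.0.0.5
2009-03-01 10:00:01 login failed for user 'sa' from 10.0.0.5
2009-03-01 10:00:02 login failed for user 'sa' from 10.0.0.5
2009-03-01 10:00:02 login failed for user 'sa' from 10.0.0.5
2009-03-01 10:00:03 login failed for user 'sa' from 10.0.0.5
2009-03-01 10:00:04 login succeeded for user 'sa' from 10.0.0.5
2009-03-01 10:00:05 sql: EXEC sp_configure 'show advanced options', 1; RECONFIGURE
2009-03-01 10:00:05 sql: EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE
2009-03-01 10:00:06 sql: EXEC master..xp_cmdshell 'echo 4d5a900003 >> stager.hex'
2009-03-01 10:00:07 sql: EXEC master..xp_cmdshell 'debug < stager.hex'
2009-03-01 10:01:00 sql: SELECT name FROM customers WHERE id = 42
"""

FAILED_LOGIN = re.compile(r"login failed for user '([^']+)' from ([\d.]+)")

# Statement-level rules: tag -> pattern. Each fires once per matching line.
RULES = [
    ("xp_cmdshell_enabled", re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)),
    ("xp_cmdshell_echo_write", re.compile(r"xp_cmdshell\s+'echo\b[^']*>>", re.I)),
    ("xp_cmdshell_debug", re.compile(r"xp_cmdshell\s+'[^']*\bdebug\b", re.I)),
]


def detect(log_text, fail_threshold=5):
    """Return (tag, line_number) hits, in log order, for the attack chain."""
    hits = []
    failures = Counter()  # (user, source) -> failed login count
    for n, line in enumerate(log_text.splitlines(), 1):
        m = FAILED_LOGIN.search(line)
        if m:
            # A brute force is reported once, when the count reaches the threshold.
            failures[m.groups()] += 1
            if failures[m.groups()] == fail_threshold:
                hits.append(("login_bruteforce:%s@%s" % m.groups(), n))
            continue
        for tag, pat in RULES:
            if pat.search(line):
                hits.append((tag, n))
    return hits


if __name__ == "__main__":
    for tag, n in detect(SAMPLE_LOG):
        print("line %d: %s" % (n, tag))
```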
Scenario 3

- You're a pentester for CompanyX.
- You scan a subnet; 1 web server responds on port 80.
- You manually investigate and identify a query string parameter that is susceptible to SQL Injection. Back-end database identified as MSSQL.
- What do you do?
Let's pop a box.
SQL Injector

When you already know a site is susceptible to SQL Injection, the SQL Injector helps you out by doing all the work for you. It supports both POST parameters and query string parameters.
Binary to Hex Generator

- Remember we've been talking about that special format needed to deliver our payloads? There's a generator in there that creates the format for you if you want to use your own custom payload.
What the output looks like

(Screenshot: the generated file binarypayload.txt open in GNU nano in a terminal.)
Scenario 4

- You're a pentester for CompanyX.
- You do service identification on remote hosts and identify a vulnerable service. The box is running Windows 2003 SP2 R2 and there's no exploit available for that version.
- What do you do?
Let's pop a box.
Exploit Section

- Exploits that are generally not in Metasploit are placed in the exploit section. I typically rewrite them as universals so they support all OS versions (at least most of them).
Scenario 5

- You're a pentester for CompanyX.
- Normal avenues through the external presence aren't working. They have 1 web server open. It's all static HTML pages. One of the pages has a company listing of points of contact within the organization.
- What do you do?
Let's pop a box.
Mass Client-Side Attack

- The mass client-side attack imports all Metasploit client-side attacks, plus a few custom ones that weren't in Metasploit, and creates a custom web server with a ton of iframes.
- As soon as someone connects to us, all mayhem starts and massive amounts of exploits are launched at the connecting systems.
- Can also piggyback on Ettercap and do ARP cache poisoning to perform a man in the middle, replacing all HREFs on the victim so that as soon as they browse a web site, they are redirected to our malicious site.
Scenario 6

- You're a pentester for CompanyX.
- On an internal penetration test you identify a missing patch on two systems: NetBIOS is unpatched and is susceptible across the entire network. You want a ton of shells to each vulnerable system.
- What do you do?
Let's pop a box.
Autopwn Automated

- Anyone ever used Metasploit's autopwn functionality? It's like 10 different commands, so I wrote a quick plugin to automate the process. Specify an IP address, a range, or whatever and let 'er rip.
- Just a warning: in a pentest this is a highly unlikely scenario. Typically you would only run it on maybe 1 or 2 ports; anything past that and you will be picked up, and you will probably take down a server, a network device, or the entire company.
Update Menu

Fast-Track now uses Subversion for version tracking; before, it used a custom MD5 update script for pulling the latest versions.

Fast-Track also attempts to keep its primary tools up to date, including Metasploit, Aircrack-ng, w3af, milw0rm exploits, Nikto plugins, and sqlmap.
Different Modes

- Fast-Track comes with a few different modes: command line mode, menu mode, and the web GUI. Let's walk through them...
More information

- http://www.thepentest.com
- If you want Fast-Track RIGHT now: svn co http://svn.thepentest.com/fasttrack
Welcome to the Fast-Track v4 Wiki and Bug-Tracker

Welcome everyone to the Fast-Track v4 Wiki and Bug-Tracker home page. Here you will find various amounts of in… enhancements and bugs to the bug-tracker.

For those of you new to Fast-Track, Fast-Track is a python based open-source project aimed at helping Penetration Testi… originally conceived when I was on a penetration test and found that there was generally a lack of tools or automation in certain at… to reproduce some of my advanced attacks and propagate it down to my team at SecureState, I ended up writing Fast-Track for the public. … of client-side data within web applications, patch management, or lack of hardening techniques. All of these are relatively simple to fix if you know w… Fast-Track arms the penetration tester with advanced attacks that in most cases have never been performed before. Sit back, relax, crank op…

- Dave Kennedy

To download Fast-Track use the following command: svn co http://svn.thepentest.com/fasttrack

To update Fast-Track use the following command: svn update, or update through the Fast-Track menu.

Fast-Track Developers

David Kennedy aka ReL1K -- Lead Developer and Creator
Rob Gouin aka rBg -- Web Interface and logo design
Andrew Weidenheimer aka Leroy Jenkem -- SQLPwnage Developer
Scott White aka Sasquatch -- SQL Guru Developer
John Melvin aka Whipsmack -- Malware Developer

Special thanks to everyone that has contributed to Fast-Track in the past:

Static, Sasquatch, Sleepless, Zero_Chaos, Leap, Muts, Max, Pure-Hate, barbsre, Leroy (Jenkem), whipsmack, zipl…

Latest Information on Fast-Track

Click on one of the below links to get the latest SVN pull of Fast-Track, or go to the bugtracker/wiki to post bugs or learn how to use Fast-Track.

Fast-Track SVN Repository
Fast-Track BugTracker and Wiki

Fast-Track Movies

- Quick Fast-Track Mode Walkthrough
- Using SQLPwnage to pwn a box
- Fast-Track SQL Bruter pwnage
- SQL Injector attacking query string parameters
- SQL Injector attacking POST parameters
- Fast-Track Mass Client Attack pwning IE
- Fast-Track Autopwning a system
- Fast-Track exploiting MS08-067
- Fast-Track Exploiting the IE XML exploit on IE
Coming soon in 4.1

- Re-write of Metasploit's Autopwn to allow selectable payloads and to interact as exploits are running.
- Adding query string parameter attacks in SQLPwnage
- Four new exploit rewrites as universals
- Oracle exploitation module
That's it!

You can download Fast-Track at:

http://www.securestate.com
http://www.thepentest.com

Look at the bottom for "Free Tools".